[97224] in North American Network Operators' Group
Re: Security gain from NAT (was: Re: Cool IPv6 Stuff)
daemon@ATHENA.MIT.EDU (Edward B. DREGER)
Mon Jun 4 18:04:14 2007
Date: Mon, 4 Jun 2007 21:12:05 +0000 (GMT)
From: "Edward B. DREGER" <eddy+public+spam@noc.everquick.net>
To: nanog@merit.edu
In-Reply-To: <E1HvI6Y-0008Mb-7u@mail.shankland.org>
Errors-To: owner-nanog@merit.edu
JS> Date: Mon, 04 Jun 2007 12:20:38 -0700
JS> From: Jim Shankland
JS> If what you meant to say is that NAT provides no security benefits
JS> that can't also be provided by other means, then I completely
What Owen said is that "[t]here's no security gain from not having real
IPs on machines". That is a true statement.
Moreover...
Provider: "We're seeing WormOfTheDay.W32 from 90.80.70.60."
Downstream: "That's our firewall."
Provider: "Chances are you have one or more compromised hosts behind
your firewall."
Downstream: "But we have 150 workstations. How do we find which
one(s)?"
Bonus points for finding downstreams who understand "NIDS", "monitor
port", "state mapping tables", et cetera. :-)
In the big picture, I submit that NAT *worsens* the security situation.
Of course, the cost falls to "other people" -- a topic that inevitably
launches a protracted thread.
Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
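The "state mapping tables" lookup the post alludes to, as an added example that is not part of Eddy's message: given the firewall's NAT translation log, find which inside host was behind the public address and port that an upstream abuse report names at a given time. The log format, addresses and timestamps below are constructed for this example; real firewalls log translations in their own formats.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class NatEntry:
    start: datetime          # translation created
    end: datetime            # translation expired / connection closed
    inside_ip: str
    inside_port: int
    outside_port: int        # source port after translation; public IP is fixed
    dst_ip: str
    dst_port: int

# Constructed sample log (not a real firewall format); one translation per line.
# Note that public source port 40002 is reused later by a different inside host.
NAT_LOG = """\
2007-06-04T19:58:02Z 2007-06-04T19:58:40Z 192.168.10.23:51234 -> 90.80.70.60:40001 -> 203.0.113.9:80
2007-06-04T20:01:10Z 2007-06-04T20:03:55Z 192.168.10.77:3344 -> 90.80.70.60:40002 -> 198.51.100.5:445
2007-06-04T20:01:12Z 2007-06-04T20:01:13Z 192.168.10.23:51240 -> 90.80.70.60:40003 -> 198.51.100.5:445
2007-06-04T20:05:00Z 2007-06-04T20:07:00Z 192.168.10.5:3345 -> 90.80.70.60:40002 -> 198.51.100.6:445
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_nat_log(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, inside, _, outside, _, dst = line.split()
        in_ip, in_port = inside.rsplit(":", 1)
        _, out_port = outside.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        entries.append(NatEntry(parse_ts(start), parse_ts(end), in_ip, int(in_port),
                                int(out_port), dst_ip, int(dst_port)))
    return entries

def attribute(entries, seen_at, outside_port=None, dst_ip=None, dst_port=None):
    """Inside hosts consistent with an abuse report. Fields the report omits act
    as wildcards; public ports are reused, so the timestamp is what narrows it."""
    t = parse_ts(seen_at)
    hits = {e.inside_ip for e in entries
            if e.start <= t <= e.end
            and (outside_port is None or e.outside_port == outside_port)
            and (dst_ip is None or e.dst_ip == dst_ip)
            and (dst_port is None or e.dst_port == dst_port)}
    return sorted(hits)
```

A report carrying only the public IP and a time yields every host with an active translation at that moment; one that also carries the translated source port (and ideally destination) narrows it to a single workstation, which is why abuse reports need to include port and timestamp to be actionable behind NAT.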